Abstract — This paper discusses the use of computer-aided 
verification as a practical means for analysing quantum infor- 
mation systems; specifically, the BB84 protocol for quantum key 
distribution is examined using this method. This protocol has 
been shown to be unconditionally secure against all attacks in 
an information-theoretic setting, but the relevant security proof 
requires a thorough understanding of the formalism of quantum 
mechanics and is not easily adaptable to practical scenarios. 
Our approach is based on probabilistic model-checking; we have 
used the PRISM model-checker to show that, as the number of 
qubits transmitted in BB84 is increased, the equivocation of the 
eavesdropper with respect to the channel decreases exponentially. 
We have also shown that the probability of detecting the presence 
of an eavesdropper increases exponentially with the number 
of qubits. The results presented here are a testament to the 
effectiveness of the model-checking approach for systems where 
analytical solutions may not be possible or plausible. 

I. Introduction 

That quantum-mechanical phenomena can be effectively 
exploited for the storage, manipulation and exchange of in- 
formation is now a widely recognised fact. The whole field of 
quantum information poses new challenges for the information 
theory community and involves several novel applications, 
especially with respect to cryptology. 

Recent interest in quantum cryptography has been stim- 
ulated by the fact that quantum algorithms, such as Shor's 
algorithms for integer factorization and discrete logarithm 
[1], threaten the security of classical cryptosystems. A range 
of quantum cryptographic protocols for key distribution, bit 
commitment, oblivious transfer and other problems [2] have 
been extensively studied. Furthermore, the implementation of 
quantum cryptographic protocols has turned out to be signifi- 
cantly easier than the implementation of quantum algorithms: 
although practical quantum computers are still some way in the 
future, quantum cryptography has already been demonstrated 
in non-laboratory settings [3] and is well on the way to 
becoming an important technology. 
Quantum cryptographic protocols are designed with the 
intention that their security is guaranteed by the laws of 
quantum physics. Naturally it is necessary to prove, for any 
given protocol, that this is indeed the case. The most notable 
result in this area is Mayers' proof [4] of the unconditional 
security of the quantum key distribution protocol "BB84" [5]. 
This proof guarantees the security of BB84 in the presence 
of an attacker who can perform any operation allowed by 
quantum physics; hence the security of the protocol will not be 
compromised by future developments in quantum computing. 

Mayers' result, and others of the same kind [6], [7], [8], 
are extremely important contributions to the study of quantum 
cryptography. However, a mathematical proof of security of 
a protocol does not in itself guarantee the security of an 
implemented system which relies on the protocol. Experience 
of classical cryptography has shown that, during the progres- 
sion from an idealised protocol to an implementation, many 
security weaknesses can arise. For example: the system might 
not correctly implement the desired protocol; there might be 
security flaws which only appear at the implementation level 
and which are not visible at the level of abstraction used in 
proofs; problems can also arise at boundaries between systems 
and between components which have different execution mod- 
els or data representations. We therefore argue that it is worth 
analysing quantum cryptographic systems at a level of detail 
which is closer to a practical implementation. 

Computer scientists have developed a range of techniques 
and tools for the analysis and verification of communication 
systems and protocols. Those particularly relevant to security 
analysis are surveyed by Ryan et al. [9]. This approach has 
two key features. The first is the use of formal languages 
to precisely specify the behaviour of the system and the 
properties which it is meant to satisfy. The second is the use of 
automated software tools to either verify that a system satisfies 
a specification or to discover flaws. These features provide a 
high degree of confidence in the validity of systems, and the 
ability to analyse variations and modifications of a system very 
easily. 

In this paper we present the results of applying the above 
methodology to the BB84 quantum key distribution protocol. 



We have carried out an analysis using PRISM^1, a probabilistic 
model-checking system. Our results confirm the properties 
which arise from Mayers' security proof; more significantly, 
they demonstrate the effectiveness of the model-checking 
approach and the ease with which parameters of the system 
can be varied. 

Our model could easily be adapted to describe variations 
and related protocols, such as "B92" and Ekert's protocol 
([10], [11] describe these protocols in detail). Also, our 
model can be modified to account for implementation-level 
concerns, such as imperfections in photon sources, channels, 
and detectors. 



II. Quantum Key Distribution 
and Security Criteria 

The objective of key distribution is to enable two commu- 
nicating parties, Alice and Bob, to agree on a common secret 
key $k \in \{0, 1\}^N$, $N > 0$, without sharing any information 
initially. Once a common secret key has been established, 
Alice and Bob can use a symmetric cryptosystem to exchange 
messages privately. In a classical (i.e. non-quantum) setting, it 
is quite impossible to perform key distribution securely unless 
assumptions are made about the enemy's computational power 
[10]. 

The use of quantum channels, which cannot be tapped or 
monitored without causing a noticeable disturbance, makes 
unconditionally secure key distribution possible. The presence 
of an enemy is made manifest to the users of such channels 
through an unusually high error rate. We will now describe 
the BB84 scheme for quantum key distribution, which uses 
polarised photons as information carriers. 

BB84 assumes that the two legitimate users are linked by 
two specific channels, which the enemy also has access to: 

1) a classical, possibly public channel, which may be pas- 
sively monitored but not tampered with by the enemy; 

2) a quantum channel which may be tampered with by an 
enemy. By its very nature, this channel prevents passive 
monitoring. 

The first phase of BB84 involves transmissions over the 
quantum channel, while the second phase takes place over 
the classical channel. 

Convention 1: The pair of quantum states $\{|0\rangle, |1\rangle\}$ is the rectilinear basis of the Hilbert space $\mathcal{H}$ and is denoted by $\oplus$.

Convention 2: The pair of quantum states $\{\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle),\ \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\}$ is the diagonal basis of the Hilbert space $\mathcal{H}$, and is denoted by $\otimes$.

Definition 1: The encoding function $f_{BB84} : D \times B \mapsto \mathcal{H}$, where $D = \{0, 1\}$ and $B = \{\oplus, \otimes\}$, is defined as follows:

$f_{BB84}(0, \oplus) = |0\rangle$ (1)
$f_{BB84}(1, \oplus) = |1\rangle$ (2)
$f_{BB84}(0, \otimes) = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ (3)
$f_{BB84}(1, \otimes) = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$ (4)

The BB84 protocol can be summarised as follows:

1) First Phase (Quantum Transmissions)

a) Alice generates a random string of bits $d \in \{0, 1\}^n$, and a random string of bases $b \in \{\oplus, \otimes\}^n$, where $n > N$.

b) Alice places a photon in quantum state $|\psi_i\rangle = f_{BB84}(d_i, b_i)$ for each bit $d_i$ in $d$ and $b_i$ in $b$, and sends it to Bob over the quantum channel.

c) Bob measures each photon received with respect to either $\oplus$ or $\otimes$, chosen at random. Bob's measurements produce a string $d' \in \{0, 1\}^n$, while his choices of bases form $b' \in \{\oplus, \otimes\}^n$.

2) Second Phase (Public Discussion)

a) For each bit $d_i$ in $d$:

i) Alice sends the value of $b_i$ to Bob over the classical channel.

ii) Bob responds by stating whether he used the same basis for measurement. If $b'_i \neq b_i$, both $d_i$ and $d'_i$ are discarded.

b) Alice chooses a subset of the remaining bits in $d$ and discloses their values to Bob over the classical channel. If the results of Bob's measurements for any of these bits do not match the values disclosed, eavesdropping is detected and communication is aborted.

c) The common secret key, $k \in \{0, 1\}^N$, is the string of bits remaining in $d$ once the bits disclosed in step 2b) are removed.

^1 See http://www.cs.bham.ac.uk/~dxp/prism

There are two points to note in order to understand BB84 properly. Firstly, measuring with the incorrect basis yields a random result, as predicted by quantum theory. Thus, if Bob chooses the $\otimes$ basis to measure a photon in state $|1\rangle$, the classical outcome will be either 0 or 1 with equal probability; if the $\oplus$ basis was chosen instead, the classical outcome would be 1 with certainty. Secondly, in step 2b) of the protocol, Alice and Bob perform a test for eavesdropping. The idea is that, wherever Alice and Bob's bases are identical (i.e. $b'_i = b_i$), the corresponding bits should match (i.e. $d'_i = d_i$). If not, an external disturbance has occurred, and on a noiseless channel this can only be attributed to the presence of an eavesdropper. For more information, the reader is referred to [10], [11].
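The two phases just described, written out as an added Python example (this is not code from the paper, and the paper's PRISM model is a different artefact): the measurement rule of the preceding paragraph, the sifting of step 2a) and the disclosed-subset test of step 2b) are implemented directly, and an optional intercept_resend channel reproduces the disturbance that section IV analyses, so that the test can be seen to trigger. The ASCII basis symbols, the Photon record and all function names are this example's own choices; the channel is noiseless, as the paper assumes.

```python
import random
from dataclasses import dataclass

# ASCII stand-ins for the paper's two bases: "+" is rectilinear, "x" is diagonal.
RECT, DIAG = "+", "x"


@dataclass(frozen=True)
class Photon:
    """Classical bookkeeping for the state f_BB84(bit, basis): the basis the
    photon was prepared in and the bit it encodes.  The encoded bit may only
    be read through measure(), which enforces the quantum measurement rule."""
    bit: int
    basis: str


def measure(photon, basis, rng):
    """Measurement rule from the text: the preparation basis returns the encoded
    bit with certainty; the other basis returns 0 or 1 with equal probability."""
    if basis == photon.basis:
        return photon.bit
    return rng.randrange(2)


def random_bases(n, rng):
    return [rng.choice((RECT, DIAG)) for _ in range(n)]


def alice_prepare(n, rng):
    """Steps 1a/1b: random bit string d, random basis string b, one photon per bit."""
    bits = [rng.randrange(2) for _ in range(n)]
    bases = random_bases(n, rng)
    return bits, bases, [Photon(d, b) for d, b in zip(bits, bases)]


def bob_measure(photons, rng):
    """Step 1c: Bob measures every photon in a basis chosen at random."""
    bases = random_bases(len(photons), rng)
    bits = [measure(p, b, rng) for p, b in zip(photons, bases)]
    return bits, bases


def intercept_resend(photons, rng):
    """The intercept-resend disturbance of section IV, used here only to exercise
    the eavesdropping test: every photon is measured in a random basis and
    replaced by a fresh photon encoding the result in that basis."""
    resent = []
    for p in photons:
        basis = rng.choice((RECT, DIAG))
        resent.append(Photon(measure(p, basis, rng), basis))
    return resent


def sift(a_bits, a_bases, b_bits, b_bases):
    """Step 2a: discard every position where Alice's and Bob's bases differ."""
    keep = [i for i, (x, y) in enumerate(zip(a_bases, b_bases)) if x == y]
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep]


def run_bb84(n, rng, channel=None, test_fraction=0.5):
    """One trial of BB84 over a noiseless channel.  `channel` optionally
    transforms the photons in flight (None = undisturbed).  Returns
    ("key", bits) on success, or ("abort", error_rate) when step 2b detects a
    disturbance, error_rate being the mismatch fraction among disclosed bits."""
    a_bits, a_bases, photons = alice_prepare(n, rng)
    if channel is not None:
        photons = channel(photons, rng)
    b_bits, b_bases = bob_measure(photons, rng)
    a_sift, b_sift = sift(a_bits, a_bases, b_bits, b_bases)

    # Step 2b: Alice discloses a random subset of the sifted bits.  On a
    # noiseless channel any mismatch can only come from an eavesdropper.
    m = len(a_sift)
    disclosed = set(rng.sample(range(m), int(m * test_fraction)))
    mismatches = sum(1 for i in disclosed if a_sift[i] != b_sift[i])
    if mismatches:
        return ("abort", mismatches / len(disclosed))

    # Step 2c: the key is whatever remains once the disclosed bits are removed.
    return ("key", [a_sift[i] for i in range(m) if i not in disclosed])


def trial(n, seed, eavesdrop=False):
    """Seeded, reproducible trial with or without the intercept-resend channel."""
    rng = random.Random(seed)
    return run_bb84(n, rng, channel=intercept_resend if eavesdrop else None)


if __name__ == "__main__":
    status, result = trial(400, 1)
    print("undisturbed:", status, len(result), "key bits")
    status, result = trial(400, 1, eavesdrop=True)
    print("intercept-resend:", status, "error rate", round(result, 3))
```

With n photons roughly half survive sifting and half of those are spent on the test, so the usable key is about n/4 bits; the error rate reported on abort is the "unusually high error rate" the text refers to, about one quarter of the disclosed bits under intercept-resend.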

We turn now to the formal security requirements for BB84. 
Among other things, a protocol such as BB84 must ensure that 
an enemy's presence is always made manifest to the legitimate 
users and that, if a key does result from the procedure, 
it is unpredictable and common to both users. But most 
importantly, the protocol must ensure privacy: an enemy must 



never be able to obtain the value of the key. Moreover, even if an enemy is able to obtain a certain quantity of information $v$ by trying to monitor the classical channel, that quantity has to be minimal; meanwhile, the enemy's uncertainty about the key, $H(k|v)$, must be maximised.

Definition 2: The conditional entropy of the key $k$ (of length $N$) given the view $v$ is defined as:

$H_N(k|v) = -\sum_{k}\sum_{v} \Pr\{k, v\} \log(\Pr\{k|v\})$

Such requirements are usually expressed in terms of security parameters. For quantum key distribution, the security parameters are conventionally written $n$ and $\varepsilon$. The parameter $n$ is the number of quantum states transmitted, while $\varepsilon$ denotes collectively the tolerated error rate, the number of bits used to test for eavesdropping, and related quantities [4]. We use the parameter $n$ instead of the key length $N$, as these are assumed to be linearly related. For instance, the value of $H(k|v)$ is some function of $n$ and $\varepsilon$: $H(k|v) = \varphi(n, \varepsilon)$. The proof [4] stipulates that $H(k|v)$ should be exponentially small in $n$ and $\varepsilon$. Formally,

$\varphi(n, \varepsilon) \le c \cdot e^{-gn}$ (5)
$\lim_{n \to \infty} \varphi(n, \varepsilon) = 0$ (6)

noting that the choice of $n$ over $N$ as the parameter only changes the value of the constant $g$, and not the functional relationship. We will demonstrate later for BB84 that the probability that an enemy succeeds in obtaining more than half of the key bits correctly is a function of the form

Mayers' security proof of BB84 formalises the notion of privacy by defining a quantum key distribution protocol as "$l$-private," if, for every strategy adopted by an enemy, the average of the quantity $N - H(k|v)$ is less than or equal to some constant $l$. This definition of privacy merely requires the key to be uniformly distributed, when the key length $N$ is known. A more conventional privacy definition would have required that the mutual information $I(k, v)$ be less than or equal to some constant, but this is not entirely satisfactory [4].
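Definition 2 and the quantity $N - H(k|v)$ of Mayers' privacy definition can be evaluated directly once a joint distribution of key and view is fixed. The following Python is an added example and not from the paper: it implements the conditional entropy for any finite joint distribution, applies it to a constructed one-bit model of the intercept-resend view (Eve's basis matches Alice's with probability 1/2, so her recorded bit agrees with the sifted key bit with probability 3/4), extends it to $N$ independent bits, and reports $N - H(k|v)$. The base-2 logarithm (entropy in bits) and the three one-bit distributions are this example's assumptions; detection is ignored here, the view is simply compared with the key.

```python
from math import log2


def conditional_entropy(joint):
    """Definition 2 with base-2 logarithms:
    H(k|v) = -sum_{k,v} Pr{k,v} log2 Pr{k|v}, for a joint distribution
    supplied as {(k, v): Pr{k, v}}.  Pr{k|v} is Pr{k,v} / Pr{v}."""
    marginal_v = {}
    for (_, v), p in joint.items():
        marginal_v[v] = marginal_v.get(v, 0.0) + p
    h = 0.0
    for (_, v), p in joint.items():
        if p > 0.0:                       # 0 * log 0 is taken as 0
            h -= p * log2(p / marginal_v[v])
    return h


# Constructed one-bit joint distributions Pr{k, v} for a sifted key bit k and
# Eve's view v of it.  These are this example's own models, not the paper's.
#
# Intercept-resend: with probability 1/2 Eve's basis matches Alice's and v = k;
# otherwise v is a fair coin.  Hence Pr{v = k} = 3/4 for either key value.
INTERCEPT_RESEND_BIT = {(0, 0): 3 / 8, (0, 1): 1 / 8, (1, 0): 1 / 8, (1, 1): 3 / 8}
# A view carrying no information about the bit (v independent of k).
USELESS_VIEW_BIT = {(0, 0): 1 / 4, (0, 1): 1 / 4, (1, 0): 1 / 4, (1, 1): 1 / 4}
# A view that reveals the bit outright (v = k always).
PERFECT_VIEW_BIT = {(0, 0): 1 / 2, (1, 1): 1 / 2}


def joint_for_n_bits(single_bit_joint, n):
    """Independent positions: Pr{k, v} over n-bit strings is the n-fold product
    of the one-bit distribution, with keys and views represented as tuples."""
    joint = {((), ()): 1.0}
    for _ in range(n):
        nxt = {}
        for (k, v), p in joint.items():
            for (kb, vb), q in single_bit_joint.items():
                key = (k + (kb,), v + (vb,))
                nxt[key] = nxt.get(key, 0.0) + p * q
        joint = nxt
    return joint


def information_leak(single_bit_joint, n):
    """N - H(k|v), the quantity that l-privacy bounds by l (here N = n bits)."""
    return n - conditional_entropy(joint_for_n_bits(single_bit_joint, n))


if __name__ == "__main__":
    for name, dist in (("intercept-resend", INTERCEPT_RESEND_BIT),
                       ("useless view", USELESS_VIEW_BIT),
                       ("perfect view", PERFECT_VIEW_BIT)):
        print(f"{name:17s} H(k|v) per bit = {conditional_entropy(dist):.4f}"
              f"  leak over 8 bits = {information_leak(dist, 8):.4f}")
```

Because the positions are independent, the leak grows linearly in $N$ (about 0.189 bits per sifted bit for the intercept-resend model), which is exactly why a fixed bound $l$ on $N - H(k|v)$ cannot be met by sifting alone and the eavesdropping test of step 2b) is needed.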

III. Model Checking Techniques 
and the PRISM Tool 

The theoretical proof of BB84's security is a significant 
and valuable result. However, to prove a similar result for a 
different scheme or cryptographic task is far from trivial and 
is likely to involve new, ever more specialised derivations. A 
more flexible approach to analysing the security of quantum 
cryptographic protocols is clearly desirable. Manufacturers of 
commercial quantum cryptographic systems [12], for instance, 
require efficient and rigorous methods for design and testing. A 
suitable approach should allow for modelling implementation- 
level details and even minor protocol variations with relative 
ease. We believe that model-checking is such an approach, and 
we will demonstrate its application to BB84. 

Model-checking is an automated technique for verifying a finite-state system against a given temporal specification [13]. Using a specialised software tool (called a model-checker), a system implementor can mechanically prove that the system satisfies a certain set of requirements. To do this, an abstract model, denoted $\sigma$, is built and expressed in a description language; also, the desired behaviour of the system is expressed as a set of temporal formulae, $\Phi_i$. The model and the formulae are then fed into the model-checker, whose built-in algorithms determine conclusively whether $\sigma$ satisfies the properties defined by the $\Phi_i$ (i.e. whether $\sigma \models \Phi_i$ for each property $\Phi_i$). Model-checking should not be confused with computer-based simulation techniques, which do not involve an exhaustive search of all possibilities.

For systems which exhibit probabilistic behaviour, a variation of this technique is used; a probabilistic model-checker, such as PRISM [14], computes the probability

$\Pr\{\sigma \models \Phi_i\}$ (7)

for given $\sigma$ and $\Phi_i$. PRISM models are represented by probabilistic transition systems, and are written in a simple guarded-command programming language. System properties for PRISM models are written in Probabilistic Computation Tree Logic (PCTL).

PRISM allows models to be parameterised: $\sigma = \sigma(u_1, \ldots, u_k)$. Thus the probability (7) may be computed for different values of $u_1, \ldots, u_k$; this is termed an experiment. By varying one parameter at a time, it is possible to produce a meaningful plot of the variation of (7).

IV. Analysis of BB84 using PRISM 

We have built a model of BB84 for use with PRISM. It is not possible to present the source code for this model here, due to space limitations; however, the full source code is available online^2, and is discussed extensively in [15].

A system description in PRISM is a computer file containing 
module definitions, each module representing a component of 
the system. In our description of BB84, there is a module 
corresponding to each party involved in the protocol and a 
module representing the quantum channel. Each module has 
a set of local variables and a sequence of actions to perform; 
an action typically takes one of the following two forms: 



$[l]\ g \to (v_1 := val_1);$ (8)
$[l]\ g \to 0.5 : (v_1 := val_1) + 0.5 : (v_1 := val_2);$ (9)

In (8), the variable $v_1$ is assigned the value $val_1$; in (9), $v_1$ is assigned either the value $val_1$ or $val_2$ with equal probability. Part of the expressive power of PRISM comes from the ability to specify arbitrary probabilities for actions; for example, one could model a bias in Alice's choice of polarisation basis, in BB84, with an action such as:

$[choosebasis]\ true \to 0.7 : (al\_basis := \oplus) + 0.3 : (al\_basis := \otimes);$ (10)

In this example, Alice is biased towards choosing the rectilinear basis. Knowledge of this syntax is sufficient for an understanding of the PRISM description of BB84. In what follows, we will discuss the properties which we have been able to investigate.

^2 See http://go.warwick.ac.uk/nikos/research/publications/index

As discussed in section II, there are two security requirements for BB84 of interest:

1) an enemy's presence must not go unnoticed; if the legit- 
imate users know that an enemy is trying to eavesdrop, 
they can agree to use privacy amplification techniques 
[20] and/or temporarily abort the key establishment 
process. 

2) any quantity of valid information which the enemy is 
able to obtain through eavesdropping must be minimal. 

We can use our model of BB84, denoted henceforth by $\sigma_{BB84}$, to compute the probability

$\Pr\{\sigma_{BB84} \models \Phi_i\}$ (11)

where $\Phi_i$ is a given PCTL property-formula. Therefore, in order to verify that BB84 satisfies the security requirements just mentioned, we have to reformulate these requirements in terms of probability.

Firstly, we should be able to compute exactly what the probability of detecting an enemy is. In our PRISM model, we can vary $n$, the number of photons transmitted in a trial of BB84, and so this probability is a function of $n$. Let us write the probability of detecting an enemy as

$P_{det}(n) = \Pr\{\sigma_{BB84} \models \Phi_{det}\}$ (12)

In (12), $\Phi_{det}$ represents the PCTL formula whose boolean value is true when an enemy is detected. Before we give the definition of $\Phi_{det}$, we should state the random event $\delta$ that occurs when an enemy is detected; this will allow us to write $P_{det}(n)$ as a classical probability $\Pr\{\delta\}$.

In BB84, an enemy, Eve, is detected as a result of the disturbance inevitably caused by some of her measurements. Just as Bob, Eve does not know which polarisation bases were used to encode the bits in Alice's original bit string. Eve has to make a random choice of basis, denoted $b''_i$, which may or may not match Alice's original choice, $b_i$. If $b''_i = b_i$, Eve is guaranteed to measure the $i$-th photon correctly; otherwise, quantum theory predicts that her measurement result will only be correct with probability 0.5.

In a so-called intercept-resend attack, Eve receives each photon on the quantum channel, measures it with her basis $b''_i$, obtaining bit value $d''_i$, and then transmits to Bob a new photon, which represents $d''_i$ in the $b''_i$ basis. If Eve's basis choice is incorrect, her presence is bound to be detected. But for detection to occur, Bob must choose the correct basis for his measurement. Whenever Bob obtains an incorrect bit value despite having used the correct basis, this is because an enemy has caused a disturbance. Note that we are assuming a perfect quantum channel here; an imperfect channel would produce noise, causing additional disturbances.



So, to summarise, an enemy's presence is made manifest as soon as the following event occurs:

$(b''_i \neq b_i) \wedge (b'_i = b_i)$ for some $i \le n$

or equivalently, as soon as:

$\delta = (b'_i = b_i) \wedge (d'_i \neq d_i)$ for some $i \le n$ (13)

Therefore, the probability of detecting an enemy's presence in BB84 may be written:

$P_{det}(n) = \Pr\{\delta\} = \Pr\{(b'_i = b_i) \wedge (d'_i \neq d_i) \text{ for some } i \le n\}$

The corresponding PCTL formula for PRISM is:

$\Phi_{det} = \{\text{true}\ \mathcal{U}\ (b'_i = b_i) \wedge (d'_i \neq d_i)\}$

The PRISM model of BB84 uses elaborate variable names, e.g. bob_basis instead of $b'_i$ and alice_bit instead of $d_i$.

The value of $P_{det}(n)$ for $5 \le n \le 30$ has been calculated with PRISM, which computes (12); the result is shown in Figure 1.
Fig. 1. The probability that Eve is detected in the BB84 Protocol while 
performing an intercept-resend attack, as a function of the security parameter 
n. The crosses indicate data points produced by PRISM, while the dotted 
curve is a non-linear least-squares fit to these points. 

The first requirement for BB84, namely that it should be possible to detect an enemy's presence, is clearly satisfied. As we can see from Figure 1, as the number of photons transmitted is increased, the probability of detection tends toward 1, i.e. we conclude that

$\lim_{n \to \infty} P_{det}(n) = 1$
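The exhaustive, parameterised computation that PRISM performs for $P_{det}(n)$ can be reproduced for the intercept-resend disturbance in a few lines. The following Python is an added example, not the paper's PRISM model: it enumerates every per-photon branch with its probability (no sampling, in the spirit of model-checking rather than simulation), sums the branches in which event (13) occurs for one photon, and, since photons are independent, obtains $P_{det}(n) = 1 - (1 - p)^n$. The basis-choice probabilities of Alice, Eve and Bob are exposed as parameters (p_alice, p_eve, p_bob are this example's own names) so that a bias such as action (10) can be swept as in a PRISM experiment. With uniform choices the per-photon value is 1/8, whose decay constant $-\ln(7/8) \approx 0.1335$ is consistent with the fitted $c_2 = 0.134$ reported later; the example goes beyond the page in that it also shows how the detection probability falls if the other parties' choices track Alice's bias.

```python
from itertools import product
import math

RECT, DIAG = "+", "x"   # ASCII stand-ins for the rectilinear and diagonal bases


def basis_dist(p_rect):
    """Distribution over the two bases: p_rect for rectilinear, the rest diagonal."""
    return {RECT: p_rect, DIAG: 1.0 - p_rect}


def enumerate_outcomes(choices):
    """Exhaustively enumerate the joint outcomes of independent probabilistic
    choices, visiting every branch with its probability instead of sampling.
    `choices` maps a name to {value: probability}; yields (assignment, prob)."""
    names = list(choices)
    for combo in product(*(choices[name].items() for name in names)):
        prob = 1.0
        assignment = {}
        for name, (value, p) in zip(names, combo):
            prob *= p
            assignment[name] = value
        if prob > 0.0:
            yield assignment, prob


def per_photon_detection(p_alice=0.5, p_eve=0.5, p_bob=0.5):
    """Probability that one photon exposes the intercept-resend disturbance,
    i.e. event (13) for a single i: Bob used Alice's basis yet read a wrong bit.
    That can only happen when Eve's basis differed from Alice's, because the
    resent photon then sits in Eve's basis and Bob's reading is a fair coin."""
    choices = {
        "alice_basis": basis_dist(p_alice),
        "eve_basis": basis_dist(p_eve),
        "bob_basis": basis_dist(p_bob),
        # Bob's reading of a photon resent in the wrong basis: wrong half the
        # time.  Unused when Eve's basis was right (Bob then reads correctly).
        "bob_reads_wrong": {False: 0.5, True: 0.5},
    }
    total = 0.0
    for a, p in enumerate_outcomes(choices):
        eve_wrong = a["eve_basis"] != a["alice_basis"]
        bob_same = a["bob_basis"] == a["alice_basis"]
        if bob_same and eve_wrong and a["bob_reads_wrong"]:
            total += p
    return total


def detection_probability(n, **biases):
    """P_det(n): the disturbance goes unnoticed on all n independent photons
    with probability (1 - p)^n, so it is detected with probability 1 - (1 - p)^n."""
    p = per_photon_detection(**biases)
    return 1.0 - (1.0 - p) ** n


def decay_rate(**biases):
    """The constant c in P_det(n) = 1 - exp(-c n), namely -ln(1 - p)."""
    return -math.log(1.0 - per_photon_detection(**biases))


def experiment(n_values, **biases):
    """A PRISM-style experiment: the property evaluated over a parameter range."""
    return [(n, detection_probability(n, **biases)) for n in n_values]


if __name__ == "__main__":
    for n, p in experiment(range(5, 31, 5)):
        print(f"n={n:2d}  P_det={p:.4f}")
    print("decay constant, uniform choices:", round(decay_rate(), 4))
    print("per-photon detection, Alice 0.7/0.3 and Eve 0.7/0.3:",
          per_photon_detection(p_alice=0.7, p_eve=0.7))
```

A bias in Alice's basis choice alone does not change the per-photon value, because Eve's and Bob's uniform choices still disagree with hers exactly half the time; it is when a second party's choice correlates with the bias that detection weakens, which is the reason such a bias is worth checking in a model rather than assumed harmless.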

We will now consider the second security requirement. Let $\mathcal{M}_i$ denote the event in which Eve measures the $i$-th photon transmitted correctly. The probability that Eve measures all photons correctly, and hence is able to obtain the secret key, is the product

$P_{all} = \prod_{i=1}^{n} \Pr\{\mathcal{M}_i\} = \Pr\{\mathcal{M}_1\} \Pr\{\mathcal{M}_2\} \cdots \Pr\{\mathcal{M}_n\}$

We will examine the variation of a quantity proportional to $P_{all}$, namely the probability $P_{>1/2}(n)$ that Eve measures more than half the photons transmitted correctly.

According to the second security requirement for BB84, the amount of valid information obtained by an enemy must be minimised; we will investigate the variation of the probability

$P_{>1/2}(n) = \Pr\{\sigma_{BB84} \models \Phi_{>1/2}\}$

as a function of the number of photons transmitted. We expect this quantity to grow smaller and smaller with $n$.

The PRISM model of BB84 includes a counter variable, nc, whose value is the number of times that Eve makes a correct measurement. The formula $\Phi_{>1/2}$ may be written in terms of this variable:

$\Phi_{>1/2} = \{\text{true}\ \mathcal{U}\ (nc > \tfrac{n}{2})\}$

Given $\sigma_{BB84}$ and $\Phi_{>1/2}$, PRISM produces the plot shown in Figure 2; it can be seen from the figure that $P_{>1/2}(n)$ decays exponentially with $n$.

Fig. 2. The probability that Eve, by performing an intercept-resend attack, makes more than $n/2$ correct measurements in BB84, versus the security parameter $n$.

Figures 1 and 2 each contain two superimposed plots: the data points marked with crosses are actual values produced by PRISM, and the dotted curves are nonlinear functions to which the data points have been fitted. We have used the Levenberg-Marquardt nonlinear fitting algorithm to compute values $c_1$, $c_2$, $c_3$ and $c_4$ such that:

$P_{det}(n) \approx 1 - c_1 \exp[-c_2 n]$
$P_{>1/2}(n) \approx c_3 \exp[-c_4 n]$

In particular, the values obtained are (to three decimal places): $c_1 = 1$, $c_2 = 0.134$, $c_3 = 0.909$, and $c_4 = 0.081$. It is evident that increasing the number of photons transmitted, or equivalently the length of the bit sequence generated by Alice, increases BB84's capability to avert an enemy: the probability of detecting the enemy increases exponentially, while the amount of valid information the enemy has about the key decreases exponentially.

These results are in agreement with Mayers' claim (see [4]), that "in an information-theoretic setting, which is our case, a quantity $I_M$ such as the amount of Shannon's information available to Eve must decrease exponentially fast as $N$ increases." Remember, we have assumed that the number of transmissions, $n$, is linearly related to $N$.

Variations in the protocol can be accommodated easily by modifying the PRISM model. For example, in [16] a bias in Alice's choice of basis is introduced, and this can be described by a PRISM action such as (10). This influences the performance of BB84; it alters the variation of both $P_{det}(n)$ and $P_{>1/2}(n)$. It is also possible to vary a posteriori probabilities with PRISM, such as the probability that, for any given transmission, the enemy's choice of measurement basis matches Alice's original choice. This probability is not usually taken into consideration in manual proofs, and is likely to be useful for modelling more sophisticated eavesdropping attacks.

It should be noted that the results presented here are not as general as Mayers'. For instance, we have assumed that a noiseless channel is being used, and we have only considered a finite number of cases (namely, where $5 \le n \le 30$). Related techniques from computer science, which are better suited for a full proof of unconditional security, do exist; the most appropriate of these is automated theorem proving [13]; we will leave this for future work. This technique is not restricted to finite scenarios, and can provide the generality needed for a more extensive analysis.

V. Conclusions

In this paper we have analysed the security of the BB84 protocol for quantum key distribution by applying formal verification techniques, which are well-established in theoretical computer science. In particular, an automated model-checking system, PRISM, was used to obtain results which corroborate Mayers' unconditional security proof of the protocol. Compared to manual proofs of security, our approach offers several advantages. Firstly, it is easily adapted to cater for other quantum protocols. It also allows us to analyse composite systems, which include both classical and quantum-mechanical components. Finally, we are not only able to model abstract protocols — as presented here — but concrete implementations as well.